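#!/usr/bin/env bash
# provision-tunnel.sh — run on FUJI (or wherever ~/.cloudflared/cert.pem lives).
# Creates the chat-saiden tunnel, places the DNS CNAME in the correct zone,
# and installs the credentials JSON on junkpile.
#
# Idempotent: re-running just verifies + re-syncs credentials.
#
# Watch out: `cloudflared tunnel route dns` auto-zone-detection is unreliable
# across this multi-zone account (saiden.dev + tengu.to share a cert). We
# manage the CNAME via flarectl explicitly to dodge it.
#
# Requires: cloudflared (logged in), flarectl, and ssh to junkpile with
# non-interactive sudo (the install step runs `sudo` without a tty).

# Deliberately no `-e`: the probe pipelines below (awk/grep on list output)
# return non-zero as a matter of course, so every step whose failure matters
# is checked explicitly with `|| die` instead.
set -uo pipefail

readonly TUNNEL_NAME="chat-saiden"
readonly HOSTNAME="chat.saiden.dev"
readonly ZONE="saiden.dev"
readonly JUNKPILE_DEST="/etc/cloudflared/chat-saiden/chat-saiden.json"
readonly CERT_FILE="$HOME/.cloudflared/cert.pem"
# Record name relative to the zone ("chat"); derived so HOSTNAME/ZONE stay the
# single source of truth instead of a third hard-coded literal.
readonly RECORD_NAME="${HOSTNAME%.${ZONE}}"
# Parent directory of the credentials file on junkpile.
readonly JUNKPILE_DIR="${JUNKPILE_DEST%/*}"

#######################################
# Print an error to stderr and abort the run.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Look up the UUID of $TUNNEL_NAME in `cloudflared tunnel list`.
# Globals:  TUNNEL_NAME (read)
# Outputs:  the UUID (column 1 of the first row whose column 2 matches)
#           on stdout; nothing if the tunnel is not listed
#######################################
tunnel_uuid() {
  cloudflared tunnel list 2>/dev/null \
    | awk -v n="$TUNNEL_NAME" '$2==n {print $1; exit}'
}

[[ -f "$CERT_FILE" ]] \
  || die "~/.cloudflared/cert.pem missing — run 'cloudflared tunnel login' first"

# --- 1. Create tunnel (idempotent) ---
echo "[1/3] Tunnel"
UUID=$(tunnel_uuid)
if [[ -n "$UUID" ]]; then
  echo "  already exists, UUID=$UUID"
else
  cloudflared tunnel create "$TUNNEL_NAME" \
    || die "cloudflared tunnel create '$TUNNEL_NAME' failed"
  UUID=$(tunnel_uuid)
  # An empty UUID here would otherwise produce a bogus cert path and target.
  [[ -n "$UUID" ]] || die "tunnel '$TUNNEL_NAME' not listed after create"
  echo "  created, UUID=$UUID"
fi

CRED_FILE="$HOME/.cloudflared/${UUID}.json"
[[ -f "$CRED_FILE" ]] || die "credentials missing at $CRED_FILE"

# --- 2. DNS CNAME via flarectl ---
echo "[2/3] DNS"
EXPECTED_TARGET="${UUID}.cfargotunnel.com"
# NOTE(review): `$0 ~ fqdn` is an unanchored regex with the dots unescaped, so
# a sibling record such as "xchat.saiden.dev" would also match; fine while no
# such record exists in the zone, tighten the pattern if one is ever added.
EXISTING=$(flarectl dns list --zone "$ZONE" 2>/dev/null \
  | awk -v fqdn="${HOSTNAME}" '$0 ~ fqdn && $3=="CNAME"')
if [[ -n "$EXISTING" ]]; then
  # flarectl prints a '|'-separated table; field 5 is the record content.
  EX_CONTENT=$(awk -F'|' '{gsub(/^ +| +$/,"",$5); print $5}' <<<"$EXISTING")
  if [[ "$EX_CONTENT" == "$EXPECTED_TARGET" ]]; then
    echo "  CNAME already correct: $HOSTNAME → $EXPECTED_TARGET"
  else
    # Never overwrite a record we did not create — leave it to a human.
    printf '  ERROR: CNAME exists for %s but points elsewhere: %s\n' \
      "$HOSTNAME" "$EX_CONTENT" >&2
    printf '  expected: %s — fix manually\n' "$EXPECTED_TARGET" >&2
    exit 1
  fi
else
  flarectl dns create --zone "$ZONE" --type CNAME --name "$RECORD_NAME" \
    --content "$EXPECTED_TARGET" --proxy \
    || die "flarectl dns create for $HOSTNAME failed"
  echo "  created: $HOSTNAME → $EXPECTED_TARGET (proxied)"
fi

# --- 3. Install credentials on junkpile ---
echo "[3/3] Credentials → junkpile"
# Stream the JSON over the ssh session's stdin rather than staging it in the
# remote /tmp: the tunnel credential then never sits at a predictable,
# world-readable path. The directory is created before `umask 077` so it
# keeps the default (traversable) mode; the file is written private, fixed
# to root:chi 0640, and swapped into place with mv so a re-sync while the
# tunnel is running replaces it atomically.
remote_install="mkdir -p $JUNKPILE_DIR \
  && umask 077 \
  && cat > $JUNKPILE_DEST.tmp \
  && chown root:chi $JUNKPILE_DEST.tmp \
  && chmod 0640 $JUNKPILE_DEST.tmp \
  && mv -f $JUNKPILE_DEST.tmp $JUNKPILE_DEST"
ssh junkpile "sudo sh -c '$remote_install'" < "$CRED_FILE" \
  || die "installing credentials on junkpile at $JUNKPILE_DEST failed"
echo "  → junkpile:$JUNKPILE_DEST (0640 root:chi)"

echo
echo "Tunnel UUID:  $UUID"
echo "Hostname:     $HOSTNAME"
echo "CNAME target: $EXPECTED_TARGET"
echo
echo "Next: ssh junkpile 'bash ~/chat-saiden/install.sh'"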